Project: fastjson
SpotBugs version: 4.8.3
Code analyzed:
31858 lines of code analyzed, in 273 classes, in 18 packages.
Metric | Total | Density* |
---|---|---|
High Priority Warnings | 31 | 0.97 |
Medium Priority Warnings | 243 | 7.63 |
Total Warnings | 274 | 8.60 |
(* Defects per Thousand lines of non-commenting source statements)
Warning Type | Number |
---|---|
Bad practice Warnings | 44 |
Correctness Warnings | 7 |
Malicious code vulnerability Warnings | 155 |
Multithreaded correctness Warnings | 17 |
Performance Warnings | 11 |
Dodgy code Warnings | 40 |
Total | 274 |
Code | Warning |
---|---|
CN | com.alibaba.fastjson.JSONArray.clone() does not call super.clone() |
CN | com.alibaba.fastjson.JSONObject.clone() does not call super.clone() |
CT | Exception thrown in class com.alibaba.fastjson.JSONArray at new com.alibaba.fastjson.JSONArray(List) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONObject at new com.alibaba.fastjson.JSONObject(Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONPath at new com.alibaba.fastjson.JSONPath(String, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONPath$PropertyFilter at new com.alibaba.fastjson.JSONPath$PropertyFilter(String, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONPath$ValueSegment at new com.alibaba.fastjson.JSONPath$ValueSegment(String, boolean, Object, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONValidator$ReaderValidator at new com.alibaba.fastjson.JSONValidator$ReaderValidator(Reader) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.JSONValidator$UTF8InputStreamValidator at new com.alibaba.fastjson.JSONValidator$UTF8InputStreamValidator(InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.asm.ClassReader at new com.alibaba.fastjson.asm.ClassReader(InputStream, boolean) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.serializer.FieldSerializer at new com.alibaba.fastjson.serializer.FieldSerializer(Class, FieldInfo) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.support.spring.JSONPResponseBodyAdvice at new com.alibaba.fastjson.support.spring.JSONPResponseBodyAdvice() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(int, float) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.AntiCollisionHashMap at new com.alibaba.fastjson.util.AntiCollisionHashMap(Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.FieldInfo at new com.alibaba.fastjson.util.FieldInfo(String, Method, Field, Class, Type, int, int, int, JSONField, JSONField, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.FieldInfo at new com.alibaba.fastjson.util.FieldInfo(String, Method, Field, Class, Type, int, int, int, JSONField, JSONField, String, Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
CT | Exception thrown in class com.alibaba.fastjson.util.GenericArrayTypeImpl at new com.alibaba.fastjson.util.GenericArrayTypeImpl(Type) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. |
DMI | Random object created and used only once in new com.alibaba.fastjson.util.AntiCollisionHashMap() |
DMI | Random object created and used only once in new com.alibaba.fastjson.util.AntiCollisionHashMap(int, float) |
ES | Comparison of String objects using == or != in com.alibaba.fastjson.parser.DefaultJSONParser.parse(PropertyProcessable, Object) |
ES | Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[]) |
ES | Comparison of String parameter using == or != in com.alibaba.fastjson.parser.deserializer.Jdk8DateCodec.write(SerializeWriter, TemporalAccessor, String) |
ES | Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.MapDeserializer.parseMap(DefaultJSONParser, Map, Type, Object, int) |
ES | Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.SqlDateDeserializer.castTimestamp(DefaultJSONParser, Type, Object, Object) |
ES | Comparison of String objects using == or != in com.alibaba.fastjson.parser.deserializer.StackTraceElementDeserializer.deserialze(DefaultJSONParser, Type, Object) |
Eq | com.alibaba.fastjson.serializer.FieldSerializer defines compareTo(FieldSerializer) and uses Object.equals() |
Eq | com.alibaba.fastjson.util.FieldInfo defines compareTo(FieldInfo) and uses Object.equals() |
NP | com.alibaba.fastjson.JSONArray.getBoolean(int) has Boolean return type and returns explicit null |
NP | com.alibaba.fastjson.JSONObject.getBoolean(String) has Boolean return type and returns explicit null |
NP | com.alibaba.fastjson.util.TypeUtils.castToBoolean(Object) has Boolean return type and returns explicit null |
PA | Primitive field com.alibaba.fastjson.JSON.DEFAULT_GENERATE_FEATURE is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.JSON.DEFAULT_PARSER_FEATURE is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.JSON.DEFAULT_TYPE_KEY is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.asm.ByteVector.data is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.asm.ByteVector.length is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.parser.DefaultJSONParser.resolveStatus is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.parser.JSONLexerBase.matchStat is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
PA | Primitive field com.alibaba.fastjson.serializer.SerializeConfig.propertyNamingStrategy is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility. |
RC | Suspicious comparison of Boolean references in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig) |
RC | Suspicious comparison of Boolean references in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig) |
Se | com.alibaba.fastjson.util.TypeUtils$MethodInheritanceComparator implements Comparator but not Serializable |
Code | Warning |
---|---|
NP | Possible null pointer dereference of simpleDateFormat in com.alibaba.fastjson.parser.deserializer.AbstractDateDeserializer.deserialze(DefaultJSONParser, Type, Object, String, int) on exception path |
NP | Possible null pointer dereference of fieldInfo in com.alibaba.fastjson.serializer.JavaBeanSerializer.getFieldValuesMap(Object) |
NP | Possible null pointer dereference of TypeUtils.oracleDateMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String) |
NP | Possible null pointer dereference of TypeUtils.oracleTimestampMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String) |
RCN | Nullcheck of fieldInfoList at line 1509 of value previously dereferenced in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.createInstance(Map, ParserConfig) |
RpC | Repeated conditional test in com.alibaba.fastjson.JSONPath$JSONPathParser.parseArrayAccessFilter(boolean) |
USELESS_STRING | Invocation of toString on paramNames in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[]) |
Code | Warning |
---|---|
DP | new com.alibaba.fastjson.parser.deserializer.ASMDeserializerFactory(ClassLoader) creates a com.alibaba.fastjson.util.ASMClassLoader classloader, which should be performed within a doPrivileged block |
DP | new com.alibaba.fastjson.serializer.ASMSerializerFactory() creates a com.alibaba.fastjson.util.ASMClassLoader classloader, which should be performed within a doPrivileged block |
EI | com.alibaba.fastjson.JSONObject.getInnerMap() may expose internal representation by returning JSONObject.map |
EI | com.alibaba.fastjson.JSONPObject.getParameters() may expose internal representation by returning JSONPObject.parameters |
EI | com.alibaba.fastjson.parser.DefaultJSONParser.getConfig() may expose internal representation by returning DefaultJSONParser.config |
EI | com.alibaba.fastjson.parser.DefaultJSONParser.getDateFormat() may expose internal representation by returning DefaultJSONParser.dateFormat |
EI | com.alibaba.fastjson.parser.DefaultJSONParser.getExtraProcessors() may expose internal representation by returning DefaultJSONParser.extraProcessors |
EI | com.alibaba.fastjson.parser.DefaultJSONParser.getExtraTypeProviders() may expose internal representation by returning DefaultJSONParser.extraTypeProviders |
EI | com.alibaba.fastjson.parser.DefaultJSONParser.getResolveTaskList() may expose internal representation by returning DefaultJSONParser.resolveTaskList |
EI | com.alibaba.fastjson.parser.JSONLexerBase.getCalendar() may expose internal representation by returning JSONLexerBase.calendar |
EI | com.alibaba.fastjson.parser.JSONLexerBase.getTimeZone() may expose internal representation by returning JSONLexerBase.timeZone |
EI | com.alibaba.fastjson.parser.JSONReaderScanner.sub_chars(int, int) may expose internal representation by returning JSONReaderScanner.buf |
EI | com.alibaba.fastjson.parser.JSONScanner.sub_chars(int, int) may expose internal representation by returning JSONLexerBase.sbuf |
EI | com.alibaba.fastjson.parser.ParserConfig.getDefaultClassLoader() may expose internal representation by returning ParserConfig.defaultClassLoader |
EI | com.alibaba.fastjson.parser.ParserConfig.getDerializers() may expose internal representation by returning ParserConfig.deserializers |
EI | com.alibaba.fastjson.parser.ParserConfig.getDeserializers() may expose internal representation by returning ParserConfig.deserializers |
EI | com.alibaba.fastjson.serializer.JSONSerializer.getDateFormat() may expose internal representation by returning JSONSerializer.dateFormat |
EI | com.alibaba.fastjson.serializer.JSONSerializer.getMapping() may expose internal representation by returning JSONSerializer.config |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getAfterFilters() may expose internal representation by returning SerializeFilterable.afterFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getBeforeFilters() may expose internal representation by returning SerializeFilterable.beforeFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getContextValueFilters() may expose internal representation by returning SerializeFilterable.contextValueFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getLabelFilters() may expose internal representation by returning SerializeFilterable.labelFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getNameFilters() may expose internal representation by returning SerializeFilterable.nameFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getPropertyFilters() may expose internal representation by returning SerializeFilterable.propertyFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getPropertyPreFilters() may expose internal representation by returning SerializeFilterable.propertyPreFilters |
EI | com.alibaba.fastjson.serializer.SerializeFilterable.getValueFilters() may expose internal representation by returning SerializeFilterable.valueFilters |
EI | com.alibaba.fastjson.serializer.SimplePropertyPreFilter.getExcludes() may expose internal representation by returning SimplePropertyPreFilter.excludes |
EI | com.alibaba.fastjson.serializer.SimplePropertyPreFilter.getIncludes() may expose internal representation by returning SimplePropertyPreFilter.includes |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getClassSerializeFilters() may expose internal representation by returning FastJsonConfig.classSerializeFilters |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getFeatures() may expose internal representation by returning FastJsonConfig.features |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getParserConfig() may expose internal representation by returning FastJsonConfig.parserConfig |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getSerializeConfig() may expose internal representation by returning FastJsonConfig.serializeConfig |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getSerializeFilters() may expose internal representation by returning FastJsonConfig.serializeFilters |
EI | com.alibaba.fastjson.support.config.FastJsonConfig.getSerializerFeatures() may expose internal representation by returning FastJsonConfig.serializerFeatures |
EI | com.alibaba.fastjson.support.geo.Feature.getGeometry() may expose internal representation by returning Feature.geometry |
EI | com.alibaba.fastjson.support.geo.Feature.getProperties() may expose internal representation by returning Feature.properties |
EI | com.alibaba.fastjson.support.geo.FeatureCollection.getFeatures() may expose internal representation by returning FeatureCollection.features |
EI | com.alibaba.fastjson.support.geo.Geometry.getBbox() may expose internal representation by returning Geometry.bbox |
EI | com.alibaba.fastjson.support.geo.GeometryCollection.getGeometries() may expose internal representation by returning GeometryCollection.geometries |
EI | com.alibaba.fastjson.support.geo.LineString.getCoordinates() may expose internal representation by returning LineString.coordinates |
EI | com.alibaba.fastjson.support.geo.MultiLineString.getCoordinates() may expose internal representation by returning MultiLineString.coordinates |
EI | com.alibaba.fastjson.support.geo.MultiPoint.getCoordinates() may expose internal representation by returning MultiPoint.coordinates |
EI | com.alibaba.fastjson.support.geo.MultiPolygon.getCoordinates() may expose internal representation by returning MultiPolygon.coordinates |
EI | com.alibaba.fastjson.support.geo.Polygon.getCoordinates() may expose internal representation by returning Polygon.coordinates |
EI | com.alibaba.fastjson.support.jaxrs.FastJsonProvider.getFastJsonConfig() may expose internal representation by returning FastJsonProvider.fastJsonConfig |
EI | com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.getFastJsonConfig() may expose internal representation by returning Retrofit2ConverterFactory.fastJsonConfig |
EI | com.alibaba.fastjson.support.spring.FastJsonContainer.getFilters() may expose internal representation by returning FastJsonContainer.filters |
EI | com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter.getFastJsonConfig() may expose internal representation by returning FastJsonHttpMessageConverter.fastJsonConfig |
EI | com.alibaba.fastjson.support.spring.FastJsonJsonView.getFastJsonConfig() may expose internal representation by returning FastJsonJsonView.fastJsonConfig |
EI | com.alibaba.fastjson.support.spring.FastJsonRedisSerializer.getFastJsonConfig() may expose internal representation by returning FastJsonRedisSerializer.fastJsonConfig |
EI | com.alibaba.fastjson.support.spring.PropertyPreFilters.getFilters() may expose internal representation by returning PropertyPreFilters.filters |
EI | com.alibaba.fastjson.support.spring.messaging.MappingFastJsonMessageConverter.getFastJsonConfig() may expose internal representation by returning MappingFastJsonMessageConverter.fastJsonConfig |
EI | com.alibaba.fastjson.util.ParameterizedTypeImpl.getActualTypeArguments() may expose internal representation by returning ParameterizedTypeImpl.actualTypeArguments |
EI2 | new com.alibaba.fastjson.JSONArray(List) may expose internal representation by storing an externally mutable object into JSONArray.list |
EI2 | new com.alibaba.fastjson.JSONObject(Map) may expose internal representation by storing an externally mutable object into JSONObject.map |
EI2 | new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) may expose internal representation by storing an externally mutable object into JSONPath.parserConfig |
EI2 | new com.alibaba.fastjson.JSONPath(String, SerializeConfig, ParserConfig, boolean) may expose internal representation by storing an externally mutable object into JSONPath.serializeConfig |
EI2 | new com.alibaba.fastjson.JSONReader(DefaultJSONParser) may expose internal representation by storing an externally mutable object into JSONReader.parser |
EI2 | new com.alibaba.fastjson.asm.MethodWriter(ClassWriter, int, String, String, String, String[]) may expose internal representation by storing an externally mutable object into MethodWriter.cw |
EI2 | new com.alibaba.fastjson.asm.TypeCollector(String, Class[]) may expose internal representation by storing an externally mutable object into TypeCollector.parameterTypes |
EI2 | new com.alibaba.fastjson.parser.DefaultJSONParser(Object, JSONLexer, ParserConfig) may expose internal representation by storing an externally mutable object into DefaultJSONParser.config |
EI2 | com.alibaba.fastjson.parser.DefaultJSONParser.setConfig(ParserConfig) may expose internal representation by storing an externally mutable object into DefaultJSONParser.config |
EI2 | com.alibaba.fastjson.parser.DefaultJSONParser.setDateFormat(DateFormat) may expose internal representation by storing an externally mutable object into DefaultJSONParser.dateFormat |
EI2 | com.alibaba.fastjson.parser.JSONLexerBase.setTimeZone(TimeZone) may expose internal representation by storing an externally mutable object into JSONLexerBase.timeZone |
EI2 | com.alibaba.fastjson.parser.ParserConfig.setDefaultClassLoader(ClassLoader) may expose internal representation by storing an externally mutable object into ParserConfig.defaultClassLoader |
EI2 | new com.alibaba.fastjson.parser.deserializer.EnumCreatorDeserializer(Method) may expose internal representation by storing an externally mutable object into EnumCreatorDeserializer.creator |
EI2 | new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(DefaultJSONParser, List, int) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.list |
EI2 | new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(DefaultJSONParser, List, int) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.parser |
EI2 | new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(Collection) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.collection |
EI2 | new com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer(Map, Object) may expose internal representation by storing an externally mutable object into ResolveFieldDeserializer.map |
EI2 | new com.alibaba.fastjson.serializer.ArraySerializer(Class, ObjectSerializer) may expose internal representation by storing an externally mutable object into ArraySerializer.compObjectSerializer |
EI2 | new com.alibaba.fastjson.serializer.BeanContext(Class, FieldInfo) may expose internal representation by storing an externally mutable object into BeanContext.fieldInfo |
EI2 | new com.alibaba.fastjson.serializer.DoubleSerializer(DecimalFormat) may expose internal representation by storing an externally mutable object into DoubleSerializer.decimalFormat |
EI2 | new com.alibaba.fastjson.serializer.FloatCodec(DecimalFormat) may expose internal representation by storing an externally mutable object into FloatCodec.decimalFormat |
EI2 | new com.alibaba.fastjson.serializer.JSONSerializer(SerializeWriter, SerializeConfig) may expose internal representation by storing an externally mutable object into JSONSerializer.config |
EI2 | com.alibaba.fastjson.serializer.JSONSerializer.setDateFormat(DateFormat) may expose internal representation by storing an externally mutable object into JSONSerializer.dateFormat |
EI2 | new com.alibaba.fastjson.serializer.SerializeBeanInfo(Class, JSONType, String, String, int, FieldInfo[], FieldInfo[]) may expose internal representation by storing an externally mutable object into SerializeBeanInfo.fields |
EI2 | new com.alibaba.fastjson.serializer.SerializeBeanInfo(Class, JSONType, String, String, int, FieldInfo[], FieldInfo[]) may expose internal representation by storing an externally mutable object into SerializeBeanInfo.sortedFields |
EI2 | new com.alibaba.fastjson.serializer.SerializeWriter(Writer, int) may expose internal representation by storing an externally mutable object into SerializeWriter.writer |
EI2 | new com.alibaba.fastjson.serializer.SerializeWriter(Writer, int, SerializerFeature[]) may expose internal representation by storing an externally mutable object into SerializeWriter.writer |
EI2 | com.alibaba.fastjson.support.config.FastJsonConfig.setClassSerializeFilters(Map) may expose internal representation by storing an externally mutable object into FastJsonConfig.classSerializeFilters |
EI2 | com.alibaba.fastjson.support.config.FastJsonConfig.setParserConfig(ParserConfig) may expose internal representation by storing an externally mutable object into FastJsonConfig.parserConfig |
EI2 | com.alibaba.fastjson.support.config.FastJsonConfig.setSerializeConfig(SerializeConfig) may expose internal representation by storing an externally mutable object into FastJsonConfig.serializeConfig |
EI2 | com.alibaba.fastjson.support.geo.Feature.setGeometry(Geometry) may expose internal representation by storing an externally mutable object into Feature.geometry |
EI2 | com.alibaba.fastjson.support.geo.Feature.setProperties(Map) may expose internal representation by storing an externally mutable object into Feature.properties |
EI2 | com.alibaba.fastjson.support.geo.Geometry.setBbox(double[]) may expose internal representation by storing an externally mutable object into Geometry.bbox |
EI2 | com.alibaba.fastjson.support.geo.LineString.setCoordinates(double[][]) may expose internal representation by storing an externally mutable object into LineString.coordinates |
EI2 | com.alibaba.fastjson.support.geo.MultiLineString.setCoordinates(double[][][]) may expose internal representation by storing an externally mutable object into MultiLineString.coordinates |
EI2 | com.alibaba.fastjson.support.geo.MultiPoint.setCoordinates(double[][]) may expose internal representation by storing an externally mutable object into MultiPoint.coordinates |
EI2 | com.alibaba.fastjson.support.geo.MultiPolygon.setCoordinates(double[][][][]) may expose internal representation by storing an externally mutable object into MultiPolygon.coordinates |
EI2 | com.alibaba.fastjson.support.geo.Polygon.setCoordinates(double[][][]) may expose internal representation by storing an externally mutable object into Polygon.coordinates |
EI2 | new com.alibaba.fastjson.support.jaxrs.FastJsonProvider(Class[]) may expose internal representation by storing an externally mutable object into FastJsonProvider.clazzes |
EI2 | com.alibaba.fastjson.support.jaxrs.FastJsonProvider.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonProvider.fastJsonConfig |
EI2 | new com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory(FastJsonConfig) may expose internal representation by storing an externally mutable object into Retrofit2ConverterFactory.fastJsonConfig |
EI2 | com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into Retrofit2ConverterFactory.fastJsonConfig |
EI2 | com.alibaba.fastjson.support.spring.FastJsonContainer.setFilters(PropertyPreFilters) may expose internal representation by storing an externally mutable object into FastJsonContainer.filters |
EI2 | com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonHttpMessageConverter.fastJsonConfig |
EI2 | com.alibaba.fastjson.support.spring.FastJsonJsonView.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonJsonView.fastJsonConfig |
EI2 | com.alibaba.fastjson.support.spring.FastJsonJsonView.setRenderedAttributes(Set) may expose internal representation by storing an externally mutable object into FastJsonJsonView.renderedAttributes |
EI2 | com.alibaba.fastjson.support.spring.FastJsonRedisSerializer.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into FastJsonRedisSerializer.fastJsonConfig |
EI2 | com.alibaba.fastjson.support.spring.PropertyPreFilters.setFilters(List) may expose internal representation by storing an externally mutable object into PropertyPreFilters.filters |
EI2 | new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0 |
EI2 | new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters, Class, String[]) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0 |
EI2 | new com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter(PropertyPreFilters, String[]) may expose internal representation by storing an externally mutable object into PropertyPreFilters$MySimplePropertyPreFilter.this$0 |
EI2 | com.alibaba.fastjson.support.spring.messaging.MappingFastJsonMessageConverter.setFastJsonConfig(FastJsonConfig) may expose internal representation by storing an externally mutable object into MappingFastJsonMessageConverter.fastJsonConfig |
EI2 | new com.alibaba.fastjson.util.ParameterizedTypeImpl(Type[], Type, Type) may expose internal representation by storing an externally mutable object into ParameterizedTypeImpl.actualTypeArguments |
MC | Overridable method init is called from method clone() in class com.alibaba.fastjson.util.AntiCollisionHashMap. |
MS | com.alibaba.fastjson.JSON.DEFAULT_GENERATE_FEATURE isn't final and cannot be protected from malicious code |
MS | com.alibaba.fastjson.JSON.DEFAULT_PARSER_FEATURE isn't final and cannot be protected from malicious code |
MS | com.alibaba.fastjson.JSON.DEFAULT_TYPE_KEY isn't final and cannot be protected from malicious code |
MS | com.alibaba.fastjson.JSON.DEFFAULT_DATE_FORMAT isn't final but should be |
MS | com.alibaba.fastjson.JSON.defaultLocale isn't final but should be |
MS | com.alibaba.fastjson.JSON.defaultTimeZone isn't final but should be |
MS | com.alibaba.fastjson.JSONPObject.SECURITY_PREFIX isn't final but should be |
MS | com.alibaba.fastjson.parser.JSONLexerBase.digits should be package protected |
MS | com.alibaba.fastjson.parser.JSONLexerBase.typeFieldName should be package protected |
MS | com.alibaba.fastjson.parser.ParserConfig.DENYS should be package protected |
MS | com.alibaba.fastjson.parser.ParserConfig.DENYS_INTERNAL should be package protected |
MS | com.alibaba.fastjson.parser.ParserConfig.global isn't final but should be |
MS | com.alibaba.fastjson.parser.deserializer.MapDeserializer.instance isn't final but should be |
MS | com.alibaba.fastjson.parser.deserializer.OptionalCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.AnnotationSerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.EnumerationSerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.FloatCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.GuavaCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.IntegerCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.JSONAwareSerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.JSONSerializableSerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.LongCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.MapSerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.PrimitiveArraySerializer.instance isn't final but should be |
MS | com.alibaba.fastjson.serializer.StringCodec.instance isn't final but should be |
MS | com.alibaba.fastjson.support.jaxrs.FastJsonProvider.DEFAULT_UNREADABLES should be package protected |
MS | com.alibaba.fastjson.support.jaxrs.FastJsonProvider.DEFAULT_UNWRITABLES should be package protected |
MS | com.alibaba.fastjson.support.spring.FastJsonpResponseBodyAdvice.DEFAULT_JSONP_QUERY_PARAM_NAMES should be package protected |
MS | com.alibaba.fastjson.util.Base64.CA should be package protected |
MS | com.alibaba.fastjson.util.Base64.IA should be package protected |
MS | com.alibaba.fastjson.util.IOUtils.ASCII_CHARS is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.CA is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.DIGITS is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.firstIdentifierFlags is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.identifierFlags is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.replaceChars is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.specicalFlags_doubleQuotes is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.specicalFlags_singleQuotes is a mutable array |
MS | com.alibaba.fastjson.util.IOUtils.DEFAULT_PROPERTIES is a mutable collection |
MS | com.alibaba.fastjson.util.IOUtils.IA should be package protected |
MS | com.alibaba.fastjson.util.IOUtils.specicalFlags_doubleQuotesFlags should be package protected |
MS | com.alibaba.fastjson.util.IOUtils.specicalFlags_singleQuotesFlags should be package protected |
MS | com.alibaba.fastjson.util.TypeUtils.castToTimestampFunction isn't final but should be |
MS | com.alibaba.fastjson.util.TypeUtils.compatibleWithFieldName isn't final but should be refactored to be so |
MS | com.alibaba.fastjson.util.TypeUtils.compatibleWithJavaBean isn't final but should be refactored to be so |
REFLC | Public method com.alibaba.fastjson.parser.JSONLexerBase.newCollectionByType(Class) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class |
REFLC | Public method com.alibaba.fastjson.parser.deserializer.MapDeserializer.createMap(Type, int) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class |
REFLC | Public method com.alibaba.fastjson.util.TypeUtils.cast(Object, Class, ParserConfig) uses reflection to create a class it gets in its parameter which could increase the accessibility of any class |
Code | Warning |
---|---|
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.oracleDateMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.oracleTimestampMethod in com.alibaba.fastjson.util.TypeUtils.castToDate(Object, String) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_ManyToMany in com.alibaba.fastjson.util.TypeUtils.isAnnotationPresentManyToMany(Method) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_OneToMany in com.alibaba.fastjson.util.TypeUtils.isAnnotationPresentOneToMany(Method) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.method_HibernateIsInitialized in com.alibaba.fastjson.util.TypeUtils.isHibernateInitialized(Object) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.class_JacksonCreator in com.alibaba.fastjson.util.TypeUtils.isJacksonCreator(Method) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.pathClass in com.alibaba.fastjson.util.TypeUtils.isPath(Class) |
LI | Incorrect lazy initialization of static field com.alibaba.fastjson.util.TypeUtils.OPTIONAL_EMPTY in com.alibaba.fastjson.util.TypeUtils.optionalEmpty(Type) |
LI | Incorrect lazy initialization and update of static field com.alibaba.fastjson.util.TypeUtils.class_XmlAccessType in com.alibaba.fastjson.util.TypeUtils.isXmlField(Class) |
RV | Return value of putIfAbsent is ignored, but key is reused in new com.alibaba.fastjson.TypeReference(Type[]) |
RV | Return value of putIfAbsent is ignored, but type is reused in com.alibaba.fastjson.TypeReference.intern(ParameterizedTypeImpl) |
RV | Return value of putIfAbsent is ignored, but type is reused in new com.alibaba.fastjson.TypeReference() |
VO | Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.clear() |
VO | Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.put(Object, Object) |
VO | Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.putForNullKey(Object) |
VO | Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.removeEntryForKey(Object) |
VO | Increment of volatile field com.alibaba.fastjson.util.AntiCollisionHashMap.modCount in com.alibaba.fastjson.util.AntiCollisionHashMap.removeMapping(Object) |
Code | Warning |
---|---|
Bx | com.alibaba.fastjson.JSONPath.compare(Object, Object) invokes inefficient new Long(long) constructor; use Long.valueOf(long) instead |
SBSC | com.alibaba.fastjson.util.TypeUtils.checkPrimitiveArray(GenericArrayType) concatenates strings using + in a loop |
SIC | Should com.alibaba.fastjson.support.spring.PropertyPreFilters$MySimplePropertyPreFilter be a _static_ inner class? |
UrF | Unread field: com.alibaba.fastjson.asm.ClassWriter.thisName |
UrF | Unread field: com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.featureValues |
UrF | Unread field: com.alibaba.fastjson.support.retrofit.Retrofit2ConverterFactory.parserConfig |
UuF | Unused field: com.alibaba.fastjson.asm.ClassWriter.typeTable |
UuF | Unused field: com.alibaba.fastjson.asm.Label.inputStackTop |
UuF | Unused field: com.alibaba.fastjson.asm.Label.next |
UuF | Unused field: com.alibaba.fastjson.asm.Label.outputStackMax |
UuF | Unused field: com.alibaba.fastjson.asm.Label.successor |
Code | Warning |
---|---|
BC | instanceof will always return true for all non-null values in com.alibaba.fastjson.JSONPath.paths(Map, Map, String, Object, SerializeConfig), since all String are instances of String |
BC | Unchecked/unconfirmed cast from reflect.AccessibleObject to reflect.Constructor in com.alibaba.fastjson.util.ASMUtils.lookupParameterNames(AccessibleObject) |
DLS | Dead store to val in com.alibaba.fastjson.JSONPath.deepSet(Object, String, long, Object) |
IM | Check for oddness that won't work for negative numbers in com.alibaba.fastjson.util.RyuFloat.toString(float, char[], int) |
NP | Load of known null value in com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.deserialze(DefaultJSONParser, Type, Object, Object, int, int[]) |
RCN | Redundant nullcheck of dateFormat, which is known to be non-null in com.alibaba.fastjson.serializer.CalendarCodec.write(JSONSerializer, Object, BeanContext) |
RCN | Redundant nullcheck of object, which is known to be non-null in com.alibaba.fastjson.serializer.JavaBeanSerializer.write(JSONSerializer, Object, Object, Type, int, boolean) |
RCN | Redundant nullcheck of com.alibaba.fastjson.util.FieldInfo.method which is known to be null in new com.alibaba.fastjson.util.FieldInfo(String, Class, Class, Type, Field, int, int, int) |
RCN | Redundant nullcheck of builderClass, which is known to be non-null in com.alibaba.fastjson.util.JavaBeanInfo.build(Class, Type, PropertyNamingStrategy, boolean, boolean, boolean) |
REC | Exception is caught when Exception is not thrown in com.alibaba.fastjson.JSON.parseObject(byte[], int, int, Charset, Type, ParserConfig, ParseProcess, int, Feature[]) |
REC | Exception is caught when Exception is not thrown in new com.alibaba.fastjson.parser.deserializer.EnumDeserializer(Class) |
REC | Exception is caught when Exception is not thrown in com.alibaba.fastjson.serializer.JSONObjectCodec.write(JSONSerializer, Object, Object, Type, int) |
REC | Exception is caught when Exception is not thrown in com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
SF | Switch statement found in com.alibaba.fastjson.asm.ClassReader.readUTF(int, int, char[]) where default case is missing |
ST | Write to static field com.alibaba.fastjson.parser.ParserConfig.awtError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type) |
ST | Write to static field com.alibaba.fastjson.parser.ParserConfig.guavaError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type) |
ST | Write to static field com.alibaba.fastjson.parser.ParserConfig.jdk8Error from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type) |
ST | Write to static field com.alibaba.fastjson.parser.ParserConfig.jodaError from instance method com.alibaba.fastjson.parser.ParserConfig.getDeserializer(Class, Type) |
ST | Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int) |
ST | Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_error from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int) |
ST | Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_getInstance from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int) |
ST | Write to static field com.alibaba.fastjson.serializer.AnnotationSerializer.sun_AnnotationType_members from instance method com.alibaba.fastjson.serializer.AnnotationSerializer.write(JSONSerializer, Object, Object, Type, int) |
ST | Write to static field com.alibaba.fastjson.serializer.MiscCodec.method_paths_get from instance method com.alibaba.fastjson.serializer.MiscCodec.deserialze(DefaultJSONParser, Type, Object) |
ST | Write to static field com.alibaba.fastjson.serializer.MiscCodec.method_paths_get_error from instance method com.alibaba.fastjson.serializer.MiscCodec.deserialze(DefaultJSONParser, Type, Object) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.awtError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.guavaError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.jdk8Error from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.jodaError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.oracleJdbcError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
ST | Write to static field com.alibaba.fastjson.serializer.SerializeConfig.springfoxError from instance method com.alibaba.fastjson.serializer.SerializeConfig.getObjectWriter(Class, boolean) |
UC | Useless condition: it's known that ch == '\\' at this point |
UC | Useless condition: it's known that predicateFlag == false at this point |
UC | Useless condition: it's known that this.deep == false at this point |
UC | Useless object stored in variable typeTable of method com.alibaba.fastjson.asm.ClassReader.readMethod(TypeCollector, char[], int) |
UC | Useless condition: it's known that rest >= 9 at this point |
UC | Useless condition: it's known that c < 57344 (0xe000) at this point |
UC | Useless condition: it's known that c >= 56320 (0xdc00) at this point |
UrF | Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.charset |
UrF | Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.features |
UrF | Unread public/protected field: com.alibaba.fastjson.support.spring.FastJsonJsonView.filters |
This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
This instanceof test will always return true (unless the value being tested is null). Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. If you really want to test the value for being null, it would be clearer to do a null test rather than an instanceof test.
Using new Integer(int) is guaranteed to always result in a new object, whereas Integer.valueOf(int) allows caching of values to be done by the compiler, class library, or JVM. Using cached values avoids object allocation and the code will be faster. Values between -128 and 127 are guaranteed to have corresponding cached instances, and using valueOf is approximately 3.5 times faster than using the constructor. For values outside the constant range the performance of both styles is the same. Unless the class must be compatible with JVMs predating Java 5, use either autoboxing or the valueOf() method when creating instances of Long, Integer, Short, Character, and Byte.
This non-final class defines a clone() method that does not call super.clone(). If this class ("A") is extended by a subclass ("B"), and the subclass B calls super.clone(), then it is likely that B's clone() method will return an object of type A, which violates the standard contract for clone().
If all clone() methods call super.clone(), then they are guaranteed to use Object.clone(), which always returns an object of the correct type.
Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks. A finalizer attack can be prevented by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor. See SEI CERT Rule OBJ-11 for more information.
This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
Note that Sun's javac compiler often generates dead stores for final local variables. Because SpotBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
This code creates a java.util.Random object, uses it to generate one random number, and then discards the Random object. This produces mediocre quality random numbers and is inefficient. If possible, rewrite the code so that the Random object is created once and saved, and each time a new random number is required invoke a method on the existing Random object to obtain it.
If it is important that the generated Random numbers not be guessable, you must not create a new Random for each random number; the values are too easily guessable. You should strongly consider using a java.security.SecureRandom instead (and avoid allocating a new SecureRandom for each random number needed).
This code creates a classloader, which needs permission if a security manager is installed. If this code might be invoked by code that does not have security permissions, then the classloader creation needs to occur inside a doPrivileged block.
Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.
This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.
This code compares java.lang.String objects for reference equality using the == or != operators. Unless both strings are either constants in a source file, or have been interned using the String.intern() method, the same string value may be represented by two different String objects. Consider using the equals(Object) method instead.
This code compares a java.lang.String parameter for reference equality using the == or != operators. Requiring callers to pass only String constants or interned strings to a method is unnecessarily fragile, and rarely leads to measurable performance gains. Consider using the equals(Object) method instead.
This class defines a compareTo(...) method but inherits its equals() method from java.lang.Object. Generally, the value of compareTo should return zero if and only if equals returns true. If this is violated, weird and unpredictable failures will occur in classes such as PriorityQueue. In Java 5 the PriorityQueue.remove method uses the compareTo method, while in Java 6 it uses the equals method.
From the JavaDoc for the compareTo method in the Comparable interface: It is strongly recommended, but not strictly required that (x.compareTo(y)==0) == (x.equals(y)). Generally speaking, any class that implements the Comparable interface and violates this condition should clearly indicate this fact. The recommended language is "Note: this class has a natural ordering that is inconsistent with equals."
The code uses x % 2 == 1 to check to see if a value is odd, but this won't work for negative numbers (e.g., (-5) % 2 == -1). If this code is intending to check for oddness, consider using (x & 1) == 1, or x % 2 != 0.
This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a very serious multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized.
Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized.
This method contains an unsynchronized lazy initialization of a non-volatile static field. Because the compiler or processor may reorder instructions, threads are not guaranteed to see a completely initialized object, if the method can be called by multiple threads. You can make the field volatile to correct the problem. For more information, see the Java Memory Model web site.
Calling overridable methods from the clone() method is insecure because a subclass could override the method, affecting the behavior of clone(). It can also observe or modify the clone object in a partially initialized state. Only static, final or private methods should be invoked from the clone() method.
See SEI CERT rule MET06-J. Do not invoke overridable methods in clone().
A final static field references an array and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the array.
A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. Consider wrapping this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.
A mutable static field could be changed by malicious code or by accident from another package. Unfortunately, the way the field is used doesn't allow any easy fix to this problem.
This public static or protected static field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
This public static or protected static field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability. However, the static initializer contains more than one write to the field, so doing so will require some refactoring.
A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null).
A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. This method can be invoked as though it returned a value of type boolean, and the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, this will result in a NullPointerException.
There is a branch of statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception cannot ever be executed; deciding that is beyond the ability of SpotBugs.
A reference value which is null on some exception control path is dereferenced here. This may lead to a NullPointerException when the code is executed. Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning. Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.
SEI CERT rule OBJ01-J requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and providing appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions: if only they write the field inside the class, the field is not considered to be written by the class itself.
This method compares two Boolean values using the == or != operator. Normally, there are only two Boolean values (Boolean.TRUE and Boolean.FALSE), but it is possible to create other Boolean objects using the new Boolean(b) constructor. It is best to avoid such objects, but if they do exist, then checking Boolean objects for equality using == or != will give results that are different from those you would get using .equals(...).
A value is checked here to see whether it is null, but this value cannot be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.
This method contains a redundant check of a known non-null value against the constant null.
This method contains a redundant check of a known null value against the constant null.
This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
```java
try {
    ...
} catch (RuntimeException e) {
    throw e;
} catch (Exception e) {
    ... deal with all non-runtime exceptions ...
}
```
SEI CERT SEC05-J rule forbids the use of reflection to increase accessibility of classes, methods or fields. If a class in a package provides a public method which takes an instance of java.lang.Class as its parameter and calls its newInstance() method, then it increases accessibility of classes in the same package without public constructors. Attacker code may call this method and pass such a class to create an instance of it. This should be avoided by either making the method non-public or by checking for package access permission on the package. A third possibility is to use the java.beans.Beans.instantiate() method instead of java.lang.Class.newInstance(), which checks whether the Class object being received has any public constructors.
The putIfAbsent method is typically used to ensure that a single value is associated with a given key (the first value for which put if absent succeeds). If you ignore the return value and retain a reference to the value passed in, you run the risk of retaining a value that is not the one that is associated with the key in the map. If it matters which one you use and you use the one that isn't stored in the map, your program will behave incorrectly.
The code contains a conditional test that is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be something else (e.g., x == 0 || y == 0).
The method seems to be building a String using concatenation in a loop. In each iteration, the String is converted to a StringBuffer/StringBuilder, appended to, and converted back to a String. This can lead to a cost quadratic in the number of iterations, as the growing string is recopied in each iteration.
Better performance can be obtained by using a StringBuffer (or StringBuilder in Java 5) explicitly.
For example:
```java
// This is bad
String s = "";
for (int i = 0; i < field.length; ++i) {
    s = s + field[i];
}

// This is better
StringBuffer buf = new StringBuffer();
for (int i = 0; i < field.length; ++i) {
    buf.append(field[i]);
}
String s = buf.toString();
```
This method contains a switch statement where the default case is missing. Usually you need to provide a default case.
Because the analysis only looks at the generated bytecode, this warning can be incorrectly triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases.
This class is an inner class, but does not use its embedded reference to the object which created it. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary. If possible, the class should be made static.
This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
This class implements the Comparator interface. You should consider whether or not it should also implement the Serializable interface. If a comparator is used to construct an ordered collection such as a TreeMap, then the TreeMap will be serializable only if the comparator is also serializable. As most comparators have little or no state, making them serializable is generally easy and good defensive programming.
This condition always produces the same result as the value of the involved variable that was narrowed before. Probably something else was meant or the condition can be removed.
Our analysis shows that this object is useless. It's created and modified, but its value never goes outside of the method or produces any side effect. Either there is a mistake and the object was intended to be used, or it can be removed.
This analysis rarely produces false positives. Common false-positive cases include:
- The object is used to implicitly throw some obscure exception.
- The object is used as a stub to generalize the code.
- The object is used to hold strong references to weak/soft-referenced objects.
The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
This field is never read. Consider removing it from the class.
This field is never read. The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.
This field is never used. Consider removing it from the class.
This code increments/decrements a volatile field. Increments/Decrements of volatile fields aren't atomic. If more than one thread is incrementing/decrementing the field at the same time, increments/decrements could be lost.